Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Re: Managing many alerts simultaneously
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Am I able to edit many alerts simultaneously?
I am currently managing 50 alerts and this number will multiply in the next couple of weeks. Editing my alerts is cumbersome. If I want to change a common property, I have to change every single instance by itself. Is there a way to change an alert property like its permissions, or triggers, for multiple alerts at a time?
I have looked at "Alert Manager", but it seems to be tailored to managing incidents, not the actual alerts in of itself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sebkue
If you have access to the file system, you could make bulk changes to saved searches through the config files.
Permissions can be found in [$SPLUNK_HOME$]\etc\apps\[your app]\metadata\local.meta. The admin manual page is here
All other search attributes (action, email, search string, etc.) can be found in [$SPLUNK_HOME$]\etc\apps\[your app]\local\savedsearches.conf. The admin manual page is here.
It's not the most elegant way, but I'm not aware of any way to make bulk changes within the UI.
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk does not offer a sane means to manage Alerts in great numbers at all. The User Interface is vacant of assistance in this regard, a large list that makes no effort to show the last edited row - leaving the user to fumble through, choosing the same item repeatedly or missing items easily. Splunk relies on the Browser for basic navigation functionality between pages but did not consider users' needs when navigating and working with mechanisms more bespoke. I hope this comment resonates with someone at Splunk to address this, because it is a big deal and the product in its current state is ripe for disruption.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please also note that the Permissions Dialog intermittently closes itself with or without interaction, when it does so with interaction the outcome is erroneous - it seems you made a change but no change was made. The list does not put any effort into showing that a change was or wasn't made nor which item you were last editing. Highly vulnerable to human error.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Permissions Dialog will also occasionally open without content, only showing the close (x), CANCEL, and SAVE button but not responding to them. It seems that clicking outside of the Dialog or forcing a browser refresh is the only way out of that erroneous state. Managing Alerts is really in the 3rd World of Internet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not have access to the file system. Is there a reason that bulk editing alerts is not a feature?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
